redline | 21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0

Analysis

max time kernel
133s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe
Size

1.2MB
MD5

c03feaebce0439a71d8646cc4991f3e5
SHA1

62e84fa679682245900955bf440565316b9c5669
SHA256

21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0
SHA512

e82560bea25e46c88c16a5a5b6e3eb4bfae3f5482e3f6f459599ec420cb7070cee99728e5c667b771869b564d1c76f3bd961de1edb53db32c2edfaa17e79a691
SSDEEP

24576:OynG4mCWtu0+PZpDFpSgEjlDrRANxNrr1N7pgmq/TjvBEUSfxzk:dnGGzRbEjhUjLqdL9U

Score

10^/10

redline gena life infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gena

185.161.248.73:4164

Attributes

auth_value
d05bf43eef533e262271449829751d07

Extracted

Family

redline

Botnet

life

185.161.248.73:4164

Attributes

auth_value
8685d11953530b68ad5ec703809d9f91

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral2/memory/4592-2337-0x00000000052A0000-0x00000000058B8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s12149436.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s12149436.exe

Executes dropped EXE 6 IoCs

Processes:

z51124290.exez25097920.exez49628910.exes12149436.exe1.exet01272710.exe

pid process

2412 z51124290.exe
1420 z25097920.exe
2736 z49628910.exe
324 s12149436.exe
4592 1.exe
2784 t01272710.exe

pid	process
2412	z51124290.exe
1420	z25097920.exe
2736	z49628910.exe
324	s12149436.exe
4592	1.exe
2784	t01272710.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z49628910.exe21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exez51124290.exez25097920.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z49628910.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z49628910.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z51124290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z51124290.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z25097920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z25097920.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2232 324 WerFault.exe s12149436.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s12149436.exe

description pid process

Token: SeDebugPrivilege 324 s12149436.exe

pid	pid_target	process	target process
2232	324	WerFault.exe	s12149436.exe

description	pid	process
Token: SeDebugPrivilege	324	s12149436.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exez51124290.exez25097920.exez49628910.exes12149436.exe

description	pid	process	target process
PID 4556 wrote to memory of 2412	4556	21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe	z51124290.exe
PID 4556 wrote to memory of 2412	4556	21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe	z51124290.exe
PID 4556 wrote to memory of 2412	4556	21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe	z51124290.exe
PID 2412 wrote to memory of 1420	2412	z51124290.exe	z25097920.exe
PID 2412 wrote to memory of 1420	2412	z51124290.exe	z25097920.exe
PID 2412 wrote to memory of 1420	2412	z51124290.exe	z25097920.exe
PID 1420 wrote to memory of 2736	1420	z25097920.exe	z49628910.exe
PID 1420 wrote to memory of 2736	1420	z25097920.exe	z49628910.exe
PID 1420 wrote to memory of 2736	1420	z25097920.exe	z49628910.exe
PID 2736 wrote to memory of 324	2736	z49628910.exe	s12149436.exe
PID 2736 wrote to memory of 324	2736	z49628910.exe	s12149436.exe
PID 2736 wrote to memory of 324	2736	z49628910.exe	s12149436.exe
PID 324 wrote to memory of 4592	324	s12149436.exe	1.exe
PID 324 wrote to memory of 4592	324	s12149436.exe	1.exe
PID 324 wrote to memory of 4592	324	s12149436.exe	1.exe
PID 2736 wrote to memory of 2784	2736	z49628910.exe	t01272710.exe
PID 2736 wrote to memory of 2784	2736	z49628910.exe	t01272710.exe
PID 2736 wrote to memory of 2784	2736	z49628910.exe	t01272710.exe

C:\Users\Admin\AppData\Local\Temp\21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe
"C:\Users\Admin\AppData\Local\Temp\21a8d607902f262805472ecb0e61d94ed60b44889ddde879bd76d760a00385a0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z51124290.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z51124290.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25097920.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25097920.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z49628910.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z49628910.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s12149436.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s12149436.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Executes dropped EXE
        
        PID:4592
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 1512
        6⤵
        Program crash
        
        PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t01272710.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t01272710.exe
        5⤵
        Executes dropped EXE
        
        PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 324 -ip 324
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z51124290.exe

Filesize
1.0MB

MD5
eb6a1e26aa23f9db01dd5cbbe27397f3

SHA1
51b9dc4067d2bce38d7d5c9a389af61c2edde799

SHA256
de34b96d1c986eefe000eab190fa0014b794a28f4193e3fb6b61f1ca3e4c3d3b

SHA512
aab8350146e3ec09a2bced56294725b75f8359daeefd4c570f293f1bb6d20b4642482d23f048c9820a67552151671a914ebdbb94f051dfbf41b4e6aff567d4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z51124290.exe

Filesize
1.0MB

MD5
eb6a1e26aa23f9db01dd5cbbe27397f3

SHA1
51b9dc4067d2bce38d7d5c9a389af61c2edde799

SHA256
de34b96d1c986eefe000eab190fa0014b794a28f4193e3fb6b61f1ca3e4c3d3b

SHA512
aab8350146e3ec09a2bced56294725b75f8359daeefd4c570f293f1bb6d20b4642482d23f048c9820a67552151671a914ebdbb94f051dfbf41b4e6aff567d4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25097920.exe

Filesize
763KB

MD5
0b3a5269b1c373588c42c0e85ab8a11a

SHA1
2ccc0b710d51ca605ffcf5a10d16fba1f909fa7f

SHA256
d477c14d429d2def9b7d928c38c4c474c0c96c5a8c1c4afaa97954d160471bea

SHA512
9dd02b780efc05719ba49baeaf850d3229d1f57007378c9406812a35e5fd9a82ade6dd972a3ac859f71a6fc4cbbc4ce2e15ebaa283ed9abb396bb11b983ecda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z25097920.exe

Filesize
763KB

MD5
0b3a5269b1c373588c42c0e85ab8a11a

SHA1
2ccc0b710d51ca605ffcf5a10d16fba1f909fa7f

SHA256
d477c14d429d2def9b7d928c38c4c474c0c96c5a8c1c4afaa97954d160471bea

SHA512
9dd02b780efc05719ba49baeaf850d3229d1f57007378c9406812a35e5fd9a82ade6dd972a3ac859f71a6fc4cbbc4ce2e15ebaa283ed9abb396bb11b983ecda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z49628910.exe

Filesize
581KB

MD5
8d410a2e99b428ecd3c7a9cbe9b831a3

SHA1
46c45e98623f9275769e99aa83433db16b72f8cc

SHA256
baa0db8dbd7d2bc7c3a6477a59676820517bc3d05c62a447a7c658a4c4c25ed5

SHA512
93f962a11caa5b338487b7c254e2ecbf038a3717263e0fe0f45eccdabda2bf199e5398308e9b66451c5dd21cdcca8aacbd59ee73b8fe054b88fffe9a9fc9e41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z49628910.exe

Filesize
581KB

MD5
8d410a2e99b428ecd3c7a9cbe9b831a3

SHA1
46c45e98623f9275769e99aa83433db16b72f8cc

SHA256
baa0db8dbd7d2bc7c3a6477a59676820517bc3d05c62a447a7c658a4c4c25ed5

SHA512
93f962a11caa5b338487b7c254e2ecbf038a3717263e0fe0f45eccdabda2bf199e5398308e9b66451c5dd21cdcca8aacbd59ee73b8fe054b88fffe9a9fc9e41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s12149436.exe

Filesize
580KB

MD5
72c56ae3429cd019b76668eecdcf5f48

SHA1
9093d5d35fb130857ea761ef323ac33dea1822cb

SHA256
213eeca14abdf10e42af14fb29d2e5ab31ab2b3053fe71e9227295a57b674207

SHA512
4a9bbdf16374e2e9ceca462371cedb58468cdcc9a90f62814be564695d3d13acae899834f5c209e822c30b263d3c49e05b6e586885133421c389ce9838e81e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s12149436.exe

Filesize
580KB

MD5
72c56ae3429cd019b76668eecdcf5f48

SHA1
9093d5d35fb130857ea761ef323ac33dea1822cb

SHA256
213eeca14abdf10e42af14fb29d2e5ab31ab2b3053fe71e9227295a57b674207

SHA512
4a9bbdf16374e2e9ceca462371cedb58468cdcc9a90f62814be564695d3d13acae899834f5c209e822c30b263d3c49e05b6e586885133421c389ce9838e81e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t01272710.exe

Filesize
169KB

MD5
8583e856338a56a594cfe637f95e4f2a

SHA1
79412218189e77641011ff5608f958a9f7ce5adc

SHA256
c80e1a58b3af5a91247794dd97de5af7f69ecafaee6d707b26205231f4354674

SHA512
5d24ce8421a9a99e5a7dcccc627b0560960f2ed8d8c1c7a256d19ec7bf35a29e08e72d489f6352615543855b9e4d97255f44488ab23697877dcb22c4c17c594a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t01272710.exe

Filesize
169KB

MD5
8583e856338a56a594cfe637f95e4f2a

SHA1
79412218189e77641011ff5608f958a9f7ce5adc

SHA256
c80e1a58b3af5a91247794dd97de5af7f69ecafaee6d707b26205231f4354674

SHA512
5d24ce8421a9a99e5a7dcccc627b0560960f2ed8d8c1c7a256d19ec7bf35a29e08e72d489f6352615543855b9e4d97255f44488ab23697877dcb22c4c17c594a

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
f16fb63d4e551d3808e8f01f2671b57e

SHA1
781153ad6235a1152da112de1fb39a6f2d063575

SHA256
8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

SHA512
fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

Download Submit
memory/324-172-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-220-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-170-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-167-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-174-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-176-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-178-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-180-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-182-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-184-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-186-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-188-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-190-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-192-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-194-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-196-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-198-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-200-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-202-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-204-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-206-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-208-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-210-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-212-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-214-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-216-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-218-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-168-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-222-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-224-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-226-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-228-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-230-0x00000000054F0000-0x0000000005550000-memory.dmp

Filesize
384KB

Download
memory/324-2315-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-166-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-165-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-164-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-162-0x0000000000920000-0x000000000097B000-memory.dmp

Filesize
364KB

Download
memory/324-2328-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-2329-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-2330-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-2332-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/324-163-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/2784-2346-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/2784-2347-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/2784-2349-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4592-2338-0x0000000004D90000-0x0000000004E9A000-memory.dmp

Filesize
1.0MB

Download
memory/4592-2339-0x0000000004940000-0x0000000004952000-memory.dmp

Filesize
72KB

Download
memory/4592-2340-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/4592-2341-0x00000000049D0000-0x0000000004A0C000-memory.dmp

Filesize
240KB

Download
memory/4592-2337-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/4592-2327-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/4592-2348-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download